From: Roland Shoemaker Date: Wed, 29 Apr 2020 19:48:06 +0000 (+0000) Subject: encoding/asn1: only accept minimally encoded base 128 integers X-Git-Tag: go1.15beta1~206 X-Git-Url: http://www.git.cypherpunks.su/?a=commitdiff_plain;h=176481990f39d8bf5330386c9468d1dd60d869ba;p=gostls13.git encoding/asn1: only accept minimally encoded base 128 integers Reject base 128 encoded integers that aren't using minimal encoding, specifically if the leading octet of an encoded integer is 0x80. This only affects parsing of tags and OIDs, both of which expect this encoding (see X.690 8.1.2.4.2 and 8.19.2). Fixes #36881 Change-Id: I969cf48ac1fba7e56bac334672806a0784d3e123 GitHub-Last-Rev: fefc03d2022e10b318e532ef5a461bb46016cf12 GitHub-Pull-Request: golang/go#38281 Reviewed-on: https://go-review.googlesource.com/c/go/+/227320 Reviewed-by: Filippo Valsorda Run-TryBot: Emmanuel Odeke TryBot-Result: Gobot Gobot --- diff --git a/src/encoding/asn1/asn1.go b/src/encoding/asn1/asn1.go index fd4dd68021..90ba5775af 100644 --- a/src/encoding/asn1/asn1.go +++ b/src/encoding/asn1/asn1.go @@ -313,6 +313,12 @@ func parseBase128Int(bytes []byte, initOffset int) (ret, offset int, err error) } ret64 <<= 7 b := bytes[offset] + // integers should be minimally encoded, so the leading octet should + // never be 0x80 + if shifted == 0 && b == 0x80 { + err = SyntaxError{"integer is not minimally encoded"} + return + } ret64 |= int64(b & 0x7f) offset++ if b&0x80 == 0 { diff --git a/src/encoding/asn1/asn1_test.go b/src/encoding/asn1/asn1_test.go index d5649bff9f..8daae97faa 100644 --- a/src/encoding/asn1/asn1_test.go +++ b/src/encoding/asn1/asn1_test.go @@ -1129,3 +1129,15 @@ func TestBMPString(t *testing.T) { } } } + +func TestNonMinimalEncodedOID(t *testing.T) { + h, err := hex.DecodeString("060a2a80864886f70d01010b") + if err != nil { + t.Fatalf("failed to decode from hex string: %s", err) + } + var oid ObjectIdentifier + _, err = Unmarshal(h, &oid) + if err == nil { + t.Fatalf("accepted non-minimally encoded oid") + } +}